NetFlow
Christopher Smithee
Lancope
Attack Evolution
– Viruses (1990s): countered by Anti-Virus and Firewalls
– Worms (2000s): countered by Intrusion Detection & Prevention
– Today's attacks: ?????
A Small Portion of the Attacks (2012)
The Environment - Once upon a time (diagram: Internet, VPN, DMZ, Internal Network)
The Mobile Computing Era (diagram: Internet, VPN, DMZ, Internal Network)
And now BYOD or IT Consumerization (diagram: Internet, VPN, DMZ, Internal Network, with devices also reaching the Internet directly over 3G and 4G, bypassing the perimeter)
BYOD is Riskiest
(diagram: NetFlow packets carrying src and dst ip are exported from the Internet edge, the 3G path and the Internal Network to a NetFlow Collector)
Transactional Audits of ALL activities
Incident Investigation Using Flows
Command and Control
Remote Control:
Are My Hosts Controlled by External Systems?
NetFlow Packets carry, per flow:
– src and dst ip
– src and dst port
– start time
– end time
– mac address
– byte count
– more
These are exported to the NetFlow Collector.
Communication to CNC
Method of detection:
– Host Lock to known bad list
– Suspect Long Flow and Beaconing Host alarms
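The three detection methods above, worked through on flow records. This is an added example and not Lancope's code: the flow records, the known-bad list and the thresholds (6-hour long-flow cutoff, 20% jitter tolerance for beacons) are constructed for illustration.

```python
"""Flow-based C2 indicators: host lock, suspect long flow, beaconing.

Added example (not Lancope's code). Flow records, the known-bad list and
the thresholds are constructed/hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One NetFlow record, reduced to the fields used below."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    start: int        # epoch seconds
    end: int          # epoch seconds
    byte_count: int

    @property
    def duration(self) -> int:
        return self.end - self.start


# Hypothetical known-bad list (constructed; a real one comes from threat intel)
KNOWN_BAD = {"203.0.113.77"}


def host_lock_violations(flows, known_bad=KNOWN_BAD):
    """Host Lock: any inside host talking to a listed bad address."""
    return sorted({(f.src_ip, f.dst_ip) for f in flows if f.dst_ip in known_bad})


def suspect_long_flows(flows, min_seconds=6 * 3600):
    """Suspect Long Flow: a connection held open far longer than a workstation normally would."""
    return [f for f in flows if f.duration >= min_seconds]


def beaconing_hosts(flows, min_events=6, max_jitter=0.2):
    """Beaconing Host: repeated connections to the same (dst, port) at a near-constant interval.

    Returns {(src_ip, dst_ip, dst_port): interval_seconds}. Jitter is the
    coefficient of variation of the inter-arrival gaps: an implant that
    sleeps a fixed interval (even with a little random jitter) scores low,
    human-driven traffic scores high.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src_ip, f.dst_ip, f.dst_port)].append(f.start)
    hits = {}
    for key, starts in by_pair.items():
        if len(starts) < min_events:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


BASE = 1_700_000_000
# Constructed sample flows: a 5-minute beacon with a few seconds of jitter,
# one 8-hour session, one hit on the known-bad list, and irregular browsing
# from a clean host.
SAMPLE_FLOWS = (
    [Flow("10.1.1.5", "198.51.100.9", 50000 + i, 443,
          BASE + 300 * i + j, BASE + 300 * i + j + 2, 1200)
     for i, j in enumerate([0, 3, -2, 1, 0, -4, 2, 1])]
    + [Flow("10.1.1.6", "198.51.100.20", 51000, 8080, BASE, BASE + 8 * 3600, 5_000_000)]
    + [Flow("10.1.1.7", "203.0.113.77", 52000, 80, BASE + 100, BASE + 105, 900)]
    + [Flow("10.1.1.8", "198.51.100.30", 53000 + k, 443, BASE + t, BASE + t + 10, 20000)
       for k, t in enumerate([10, 47, 610, 700, 1450, 1500, 3900, 4000])]
)


if __name__ == "__main__":
    print("host lock:", host_lock_violations(SAMPLE_FLOWS))
    print("long flows:", [(f.src_ip, f.dst_ip, f.duration) for f in suspect_long_flows(SAMPLE_FLOWS)])
    print("beacons:", beaconing_hosts(SAMPLE_FLOWS))
```

The clean host (10.1.1.8) makes as many connections as the beaconing one but its gaps vary by minutes, so it is not flagged; tune `max_jitter` against your own baseline, since some implants randomize their sleep by more than 20%.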
Controlled Host Begins Network Activities
Reconnaissance/Scan Detection:
Are Hosts Trying to Find Resources to Compromise?
• Top N reports showing any time period across any Host Group
Flow-based Anomaly Detection
Scan Detection Visualized
Cross-correlating this data with directory stores and/or NAC solutions increases its value by providing context: which user and which device sit behind a source address.
Many times the users won't be aware their machines are being used to enact the compromise, so IRTs need to be able to quickly correlate this data to mitigate risk.
– Accomplished through portals, SIEM integrations, or directly in the flow analysis tools themselves.
– Click-throughs that shorten the workflow are optimal.
Behavioral Analysis and Host Profiling